Australia Privacy Act 1988


The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on "Designated Communications Providers". A data protection officer ('DPO') (or rather, in Australian terminology, a privacy officer) is not mandated by law in Australia but it is recommended by the Privacy Commissioner and, arguably, recommended if not necessary in practice to comply with APP 1.2. In practice we are seeing more and more privacy officer roles where a substantial part of the job description (or, for large APP entities, some chief privacy officers whose sole responsibility) is privacy compliance. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although the use of appropriate contractual provisions is a step towards ensuring compliance with the 'reasonable steps' requirement). Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act. The CDR will be extended to at least the retail energy and telecommunications sectors and the expectation is that it will then progressively be rolled out across all sectors of the Australian economy. There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data etc. 1.3 million) in total, not up to AUD 2.1 million x 300,000.
Our Privacy Officer will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. as soon as there are reasonable grounds to believe an eligible data breach has occurred) the entity will have to notify the eligible data breach as soon as practicable, assuming it finds reasonable grounds for believing that an eligible data breach has occurred. Australia regulates data privacy and protection through a mix of federal, state and territory laws. APP entities may use the usual means by which they communicate with the relevant affected individuals, if practicable, to notify all affected individuals of the eligible data breach. From 1 July 2020, the consumer data right ('CDR'), introduced by amendments to the Competition and Consumer Act 2010 (Cth) and the Privacy Act, went live for limited data sharing in relation to the four major banks (as the first part of the so called 'open banking regime'). In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. The disclosure is required or authorized by law or a court/tribunal order. Organizations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities. We are fast approaching the point where, for other than the smallest APP entities with limited personal information, it will be difficult to establish that reasonable steps have been taken to ensure compliance with the Privacy Act/APPs (APP 1.2) without having a privacy officer. Unlike Europe, Australian privacy law does not distinguish between 'data processors' and 'data controllers'.
The Privacy Act regulates the handling of personal information by relevant entities and under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts. In addition, all persons and entities (including usually excluded entities e.g. For example, the Australian Prudential and Regulatory Authority (APRA), which regulates financial services institutions, requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS 234), and the Australian Securities and Investment Commission regulates corporations more generally. This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. A 'permitted general situation' or 'permitted health situation' exists (for example, where the information is required to establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the public). The Uber decision has also made it clear that having (and implementing) an appropriate data destruction and retention policy is required in order to comply with APP 1.2. The key obligations of all APP entities (whether they would be considered data controllers or data processors under the GDPR) under the Privacy Act/APPs include: As regards the information security obligations in APP 11.1, it is important to note that this is not a fixed or static obligation (i.e. In addition, the ACCC has been significantly more active in the 'consumer privacy' space. Other sectors across the economy will be added to the CDR over time.
However, this provision should not be used to automatically get 30 days to determine what to do in the case of an eligible data breach. Prevailing 'wisdom' was that the fine would be applied to the activity as a whole (i.e. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products. There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7) and cross-border disclosure of personal information (APP 8). Issue a "technical assistance notice", which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible, Issue a "technical capability notice", which requires a communications provider to build new capabilities to assist the agency. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization.
That is, data processors have the same primary obligations and responsibilities as data controllers under the Privacy Act/APPs. Australia's privacy principles, the APPs, depend upon the meaning of "personal information" (as defined in Privacy Act 1988 s6). breaches of the privacy law) will be increased to up to the greater of AUD 10 million (approx. whether the information or opinion is recorded in a material form or not. There is no registration requirement in Australia for data controllers or data processing activities. The Privacy Act/APPs regulate the collection, use, holding, and disclosure of the personal information of living individuals by APP entities. breach of the APPs) or repeated invasions of privacy (i.e. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW). In Australia, this is a group of in excess of 300,000 which, even if only a token fine per person is applied by the court, will be a significant amount of money. Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies.[2] The Australian Privacy Principles (APPs) replaced the National Privacy Principles and Information Privacy Principles on 12 March 2014 via the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which amended the Privacy Act 1988.[3] measures that need to be taken to satisfy the obligations).
The following is a brief summary of how our privacy policy complies with and/or relates to the specific laws and privacy protection principles put forth by the governments of Australia and New Zealand. 1.3 million) fine in relation to each of the individuals impacted by the alleged serious invasion of privacy resulting from the Cambridge Analytica activities. In practice a privacy officer is usually from/in the risk or in-house legal functions but it is recommended that they also have some IT and business knowledge/experience. Also, under APP 11.2, the entity is obliged to delete or de-identify personal information (whether or not requested by the individual) once it has been used for the notified purpose(s) of collection and is no longer required by law to be kept in an identifiable form. The Privacy Commissioner, under the Office of the Australian Information Commissioner ("OAIC"), is the national data protection regulator responsible for Privacy Act oversight. These apply to private sector organizations (including not for profit organizations) with a turnover exceeding three million dollars, other than health service providers or traders in personal information. This case will likely not be decided until late 2021 but, interestingly, the OAIC has sought to impose the up to AUD 2.1 million (approx. In particular, the Privacy Act establishes the Australian Privacy Principles (APPs) (effective from 12 March 2014) that set out these key obligations. The Privacy Commissioner is charged with enforcing the Privacy Act/APPs, including receiving and resolving complaints, undertaking own motion investigations and, as a result of any relevant determination, seeking an enforceable undertaking, publishing determinations/decisions, and issuing guidance in respect of the interpretation and enforcement of the Privacy Act/APPs.
The OAIC's interpretation of 'carrying on business in Australia' takes into account the statutory object of the Privacy Act of 'protecting the privacy of individuals and the responsible handling of personal information collected from individuals in Australia'. An "eligible data breach" occurs when the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information: There is unauthorized access to, or unauthorized disclosure of, or loss of the information, A reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates. There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach notification including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Privacy Commissioner. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing. 'Data processing records' are not specifically provided for in, or required by, Australian privacy law. The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information. If successful, the resulting fine(s) imposed on Facebook could be staggering and a significant 'game-changer' in Australian privacy. almost irrespective of the number of individuals impacted). Where it is reasonably practicable, we will give our customers access to their personal information, delete the personal information if requested, and retain it only as necessary to provide our services to our customers. All processing (i.e.
Furthermore, fines of up to AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals. Health data: 'Health information' is part of 'sensitive information' (see above under 'sensitive data') and is defined to include information or opinion about the health including an illness, disability, or injury of an individual, health services provided or to be provided to an individual, and an individual's expressed wishes about future provision of health services that, in all cases, is also 'personal information'. The Commonwealth Government is in the implementation phases of the Consumer Data Right (CDR) following a number of policy reviews including the Productivity Commission's "Data Availability and Use" report and the "Review into Open Banking in Australia". Depending on the organization, and how and by which government agency it is regulated, as noted above specific requirements or expectations may also exist with which organizations should be familiar. Organizations must provide individuals with required notice on receipt of personal information from a third party, even though they did not collect personal information directly from the individual. While this is not a 'legal basis' for collection, subject to meeting the requirement of APP 3, where there is a contract between the entity and the individual this will usually provide any required consent for the collection. Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. The Australian Government's Attorney-General's Department is currently undertaking a comprehensive review of the Privacy Act covering consent requirements, exceptions and rights of action.
However, there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act (see Enforcement). The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible, Make "technical assistance requests", to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement, The organization's identity and contact information, Any law requiring the collection of personal information, The fact that the organization's privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such complaint. Over the past 18-24 months, another key development is the increasing role of the Australian Competition and Consumer Commission ('ACCC') in enforcing consumer privacy.
Alec is a partner in the Sydney office with significant experience in the financial services, tertiary education, health/life sciences, on-line media and entertainment and Government sectors who provides practical solutions for data privacy and security, cyber and information law, e-commerce including electronic contracting, digital and business transformations, Big Data analytics, IoT, Cloud, Blockchain/cryptocurrencies, tech procurement, sourcing, BPO and Multi-jurisdiction transactions, in these areas in the Asia Pacific. Alec has been recognised as a "Leading Lawyer" in each of IP/IT and Data Privacy areas since 1998, awarded by Best Lawyers Australia as one of Australia's best (i) Outsourcing lawyers and (ii) Data Privacy & Security lawyers, by Who's Who Legal as one of Australia's best Information Technology lawyers, specifically known for privacy and named in Asia Pacific Legal 500 for Data Protection. We only use personal information for the purposes set out in our Privacy Policy and we only disclose such personal information to third party vendors to whom customers link from our service; and. Section 36 of the Act states that Australians may appeal to this Commissioner if they feel their privacy rights have been compromised, unless the privacy was violated by an organization that has its own dispute resolution mechanisms under an approved Privacy Code. becomes aware of the eligible data breach; becomes aware of reasonable grounds to believe an eligible data breach has occurred; or. The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. An Australian will also have the right to access the information unless this is specifically prohibited by law.
The most significant of the APPs are summarized below: APP 1 (open and transparent management of personal information) provides that entities must take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs and publish their privacy policy; Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Where a law or court order expressly requires an entity to collect the specified information then that will be sufficient to establish that the precondition has been met. 1.9 million) turnover threshold and not otherwise subject to the Privacy Act/APPs) engaged under a Commonwealth contract and by media organisations, if done in the course of journalism. While this is significant, and still yet to be completed, it appears much more significant that the OAIC may be seeking to apply the fine for each of the approximately 320,000 Australians purportedly affected by Facebook's alleged serious and/or repeated invasions of their privacy. It also includes other personal information collected to provide or in providing a health service, collected in connection with the donation or intended donation by an individual of his or her body parts, organs, or body substances, and genetic information about an individual in a form that is or could be predictive of the health of that individual or genetic relatives. Section 14 of the Act stipulates a number of privacy rights known as the Australian Privacy Principles (APPs). Also, any personal information collected under a consent will be subject to the individual withdrawing their consent to processing.
In other words, APP entities should not assume that collecting personal information is always required to meet their requirements; at or before the time or, if that is not practicable, as soon as practicable after an APP entity collects personal information about an individual, take such steps as are reasonable in the circumstances to notify the individual of the matters in APP 5.2, or otherwise ensure that the individual is aware of such matters (APP 5.1); only use the personal information collected for the notified purpose(s) for collection, unless a secondary purpose is permitted by the APPs (but exercise extra caution with secondary purposes) or consented to by the individual (APP 6.1); to take reasonable steps to ensure that the personal information that the APP entity collects, uses, or discloses is accurate, up-to-date, and complete (APP 10); to take reasonable steps in the circumstances to protect the personal information held by the APP entity from misuse, interference, and loss and from unauthorised access, modification, or disclosure (APP 11.1); take reasonable steps to delete or de-identify personal information when it is no longer required for the notified purposes for which it was collected; to notify all eligible data breaches as soon as practicable to the OAIC and all affected individuals; and. A helpful start to understanding one's information security obligations under APP 11.1 is the Privacy Commissioner's guide to securing personal information and the recent Uber decision.